Attackers leveraging Google AppSheet notifications to hijack accounts | Kaspersky official blog
Threat actors are exploiting legitimate Google AppSheet email addresses to conduct sophisticated phishing campaigns targeting users of major companies. These phishing emails appear highly convincing, often addressing recipients by name and bypassing spam filters due to the legitimate Google-linked sender domain. Victims are lured into submitting personal information and credentials on spoofed websites, leading to account takeovers and potential secondary attacks. The campaigns impersonate well-known brands and use emotional manipulation tactics such as urgent warnings or enticing job offers. Attackers may also engage victims in prolonged conversations to increase trust. The phishing sites are multilingual and tailored to various regions. No official patch or fix applies as this is an abuse of a legitimate cloud service's email functionality. Users are advised to exercise caution, verify sender addresses carefully, and use security tools like Kaspersky Premium to detect phishing attempts.
AI Analysis
Technical Summary
Attackers leverage the legitimate Google AppSheet service to send phishing emails that impersonate major companies and trick users into divulging personal data and login credentials. These emails originate from the official noreply@appsheet.com address, which allows them to bypass many spam filters. The phishing messages use personalized greetings and emotional triggers such as fake job offers or security alerts to entice victims. Victims are directed to spoofed websites that mimic legitimate company portals where they enter sensitive information, including Google, Apple, or Facebook credentials. This results in account compromise and potential device takeover, especially in cases involving Apple IDs. The attackers also use conversational pretexting to build trust before delivering malicious links. The campaigns are global and multilingual. Since AppSheet is a Google cloud service, the vendor manages the infrastructure, but no direct patch exists for this abuse vector. Users must rely on detection and cautious behavior to mitigate risk.
Potential Impact
Successful phishing attacks lead to theft of personal data, user credentials, and full account takeover. Compromised accounts can be sold on the dark web or used for further targeted attacks. In cases involving Apple IDs, attackers may gain remote control of victims' devices, locking them out and potentially demanding ransom. The phishing emails bypass spam filters due to originating from a legitimate Google domain, increasing the likelihood of user interaction. The emotional manipulation tactics increase victim susceptibility. There is no direct vulnerability in AppSheet itself; rather, the threat arises from abuse of its legitimate email sending capabilities.
Mitigation Recommendations
There is no patch or fix for this threat as it exploits legitimate Google AppSheet email functionality. Users should be vigilant when receiving emails from noreply@appsheet.com, especially if claiming to be from major companies. Verify sender email addresses carefully and do not trust display names alone. Avoid clicking links or providing credentials in unsolicited emails. Use security solutions like Kaspersky Premium that detect phishing emails and block access to spoofed websites. Employ password managers to prevent autofilling credentials on suspicious domains. Enable two-factor authentication or use passkeys to protect accounts even if credentials are compromised. Cross-reference communications with official company contact channels before responding or providing information.
Attackers leveraging Google AppSheet notifications to hijack accounts | Kaspersky official blog
Description
Threat actors are exploiting legitimate Google AppSheet email addresses to conduct sophisticated phishing campaigns targeting users of major companies. These phishing emails appear highly convincing, often addressing recipients by name and bypassing spam filters due to the legitimate Google-linked sender domain. Victims are lured into submitting personal information and credentials on spoofed websites, leading to account takeovers and potential secondary attacks. The campaigns impersonate well-known brands and use emotional manipulation tactics such as urgent warnings or enticing job offers. Attackers may also engage victims in prolonged conversations to increase trust. The phishing sites are multilingual and tailored to various regions. No official patch or fix applies as this is an abuse of a legitimate cloud service's email functionality. Users are advised to exercise caution, verify sender addresses carefully, and use security tools like Kaspersky Premium to detect phishing attempts.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Attackers leverage the legitimate Google AppSheet service to send phishing emails that impersonate major companies and trick users into divulging personal data and login credentials. These emails originate from the official noreply@appsheet.com address, which allows them to bypass many spam filters. The phishing messages use personalized greetings and emotional triggers such as fake job offers or security alerts to entice victims. Victims are directed to spoofed websites that mimic legitimate company portals where they enter sensitive information, including Google, Apple, or Facebook credentials. This results in account compromise and potential device takeover, especially in cases involving Apple IDs. The attackers also use conversational pretexting to build trust before delivering malicious links. The campaigns are global and multilingual. Since AppSheet is a Google cloud service, the vendor manages the infrastructure, but no direct patch exists for this abuse vector. Users must rely on detection and cautious behavior to mitigate risk.
Potential Impact
Successful phishing attacks lead to theft of personal data, user credentials, and full account takeover. Compromised accounts can be sold on the dark web or used for further targeted attacks. In cases involving Apple IDs, attackers may gain remote control of victims' devices, locking them out and potentially demanding ransom. The phishing emails bypass spam filters due to originating from a legitimate Google domain, increasing the likelihood of user interaction. The emotional manipulation tactics increase victim susceptibility. There is no direct vulnerability in AppSheet itself; rather, the threat arises from abuse of its legitimate email sending capabilities.
Mitigation Recommendations
There is no patch or fix for this threat as it exploits legitimate Google AppSheet email functionality. Users should be vigilant when receiving emails from noreply@appsheet.com, especially if claiming to be from major companies. Verify sender email addresses carefully and do not trust display names alone. Avoid clicking links or providing credentials in unsolicited emails. Use security solutions like Kaspersky Premium that detect phishing emails and block access to spoofed websites. Employ password managers to prevent autofilling credentials on suspicious domains. Enable two-factor authentication or use passkeys to protect accounts even if credentials are compromised. Cross-reference communications with official company contact channels before responding or providing information.
Technical Details
- Article Source
- {"url":"https://www.kaspersky.com/blog/appsheet-phishing-emails/55827/","fetched":true,"fetchedAt":"2026-05-27T16:12:14.098Z","wordCount":2205}
Threat ID: 6a1717dee29bf47b50cf0351
Added to database: 5/27/2026, 4:12:14 PM
Last enriched: 5/27/2026, 4:12:27 PM
Last updated: 5/27/2026, 9:33:40 PM
Views: 38
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.